Securing insurance coverage for BIPA class actions a growing challenge
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
Corporate policyholders face increasing challenges in securing insurance coverage for Illinois Biometric Information Privacy Act (BIPA) class action litigation, with the legal landscape becoming much more adverse to policyholders in recent years. Policyholders were dealt another blow in Tony’s Finer Foods Enters., Inc. v. Certain Underwriters at Lloyd’s, London, 2024 IL App (1st) 231712, where the Illinois First District Appellate Court held that a cyber liability policy did not afford coverage in the absence of any allegations that the BIPA claims at issue arose from a “data breach” or “security failure,” and also that the policy’s “violation-of-law” exclusion expressly barred coverage.
Tony’s demonstrates the uphill battle faced in obtaining coverage for BIPA class disputes, and serves as a reminder for policyholders to proactively review their current policies to determine the extent of coverage, and any potential exclusions, before they find themselves as a litigant in BIPA class action litigation. At the same time, Tony’s also highlights the need for strict compliance with BIPA, which can aid policyholders in avoiding these thorny coverage issues in the first instance.
Background
A former employee of Tony’s Finer Foods (Tony’s), a grocery store operator, filed a putative BIPA class action lawsuit against the grocer arising out of its use a biometric fingerprint time and attendance system. The former employee alleged that Tony’s violated Illinois’s biometrics law by: (1) failing to publish its schedule for the permanent deletion of biometric data; (2) failing to obtain written informed consent for the collection of employees’ biometric data; and (3) disclosing employees’ biometric data to its biometric fingerprint scanner technology provider and other unaffiliated third parties.
Tony’s maintained a cyber liability policy issued by Certain Underwriters at Lloyd’s, London (Lloyds), which provided coverage for losses “resulting from a data breach, security failure, or extortion threat that first occurs on or after the retroactive data and is discovered by the insured during the policy period.” The policy defined “data breach” to mean “the acquisition, access, or disclosure of personally identifiable information or confidential corporate information by a person or entity, or in a manner, that is unauthorized by the insured,” and “security failure” as “any failure by the insured or by others on the insured’s behalf (including the insured’s subcontractors, outsources, or independent contractors) in securing the insured’s computer system.”
Also contained in the policy was a violation-of-law exclusion pertaining to “any actual or alleged: (a) collection of information by the insured (or on the insured’s behalf) without the knowledge or permission of the persons to whom such information relates; or (b) use of personally identifiable information by the insured (or others on the insured’s behalf) in violation of law.”
After Lloyd’s denied coverage, Tony’s filed a declaratory judgment action and the parties filed cross-motions for summary judgment. The court granted summary judgment to Tony’s, holding that Lloyd’s had a duty to defend because the allegations in the underlying BIPA action potentially fell within the policy’s coverage for losses resulting from “a data breach, security failure, or extortion threat.” Lloyd’s appealed.
The decision
The First District Appellate Court reversed, holding that Lloyd’s had no duty to defend. The court reasoned that the underlying allegations did not constitute a “data breach,” as the BIPA complaint was devoid of any allegations that a third party obtained employee biometric data without Tony’s authorization. Just the opposite, the underlying complaint alleged that Tony’s itself collected, stored, used, and disseminated its employees’ biometric data. The court further reasoned that the underlying allegations did not constitute a “security incident,” as the complaint was devoid of any allegations that Tony’s failed to secure its computer systems. Instead, the complaint was silent on this issue. Together, the court held that coverage did not exist under the cyber liability policy.
In addition, the court also held that the cyber liability policy’s violation-of-law exclusion—applicable to the “collection of information . . . without the knowledge or permission of the persons to whom such information relates”—precisely described the allegations in the underlying BIPA dispute, and thus “clearly applied” to independently bar coverage.
Underlying uncertainty in securing insurance coverage for BIPA class actions
Tony’s is not the first decision finding BIPA claims to fall outside the scope of coverage under a cyber liability policy. For example, in Remprex, LLC v. Certain Underwriters at Lloyd’s London, 2023 IL App (1st) 211097, an Illinois appellate court held that an insurer had no duty to defend an underlying BIPA class action under a cyber liability policy where the BIPA complaint contained no allegations that an unauthorized third party accessed individuals’ personal information and shared it with the public. Instead, the complaint merely alleged that the insured had engaged in the unauthorized collection of those individuals’ personal information without their consent, in violation of the Illinois law.
In addition, other courts have also found violation-of-law exclusions similar to the one at issue in Tony’s to bar coverage for BIPA class action disputes. See, e.g., Nat’l Fire Ins. Co. of Hartford and Continental Ins. Co. v. Visual Pak Co., Inc., 2023 IL App (1st) 221160; Westfield Ins. Co. v. Ucal Sys., Inc., No. 21 CV 3227, 2024 U.S. Dist. LEXIS 138237 (N.D. Ill. Aug. 5, 2024).
With that said, some courts considering the same policy language have reached the opposite conclusion, i.e., that violation-of-law exclusions do not bar coverage for BIPA class action lawsuits. See, e.g., Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., No. 21 CV 788, 2023 U.S. Dist. LEXIS 9282, at *5-7 (N.D. Ill. Jan. 19, 2023); Citizens Ins. Co. of Am. v. Highland Baking Co., No. 20 CV 4997, 2022 U.S. Dist. LEXIS 74280, at *1 (N.D. Ill. Mar. 29, 2022).
Practical tips and strategies
Comprehensive insurance coverage review
With the outsized damages exposure arising from BIPA class action litigation, insurers have mounted an aggressive campaign to block policyholders from obtaining coverage in these high-exposure suits. Central to this campaign has been insurers’ attempts to limit coverage by arguing that several different exclusions, including the violation-of-law exclusion discussed above, bar coverage for BIPA claims. Further complicating matters, and also indicated above, courts have addressed coverage for underlying BIPA suits differently, leading to significant uncertainty regarding the applicability of coverage for litigation involving purported non-compliance with Illinois’s biometrics law.
With the stakes so high, policyholders should consider consulting with experienced outside biometrics counsel to carefully review and evaluate all of their insurance policies that may be triggered by a BIPA claim—including cyber liability, commercial general liability (CGL), employment practices liability, directors and officers liability, errors and omissions, and any other specialty coverages—for exclusionary language or other issues that may present potential challenges for securing coverage in connection with BIPA class disputes.
At the same time, given the significant risk and exposure associated with BIPA litigation, companies may also consider obtaining supplemental coverage specifically designed to provide coverage for BIPA claims. These more specialized policies can provide policyholders with a vital added layer of protection in the event its more standard cyber liability or CGL policies fail to afford coverage.
Maintain strict, ongoing compliance with BIPA
To avoid the potential challenges and pitfalls associated with insurance coverage in the context of BIPA class action disputes, companies should make it a priority to ensure strict compliance with Illinois’s biometrics law. Companies should consider reviewing their current biometrics compliance programs to ensure they align with BIPA’s core legal obligations, which entail:
- Privacy Policy. A written, publicly-available privacy policy must be maintained that contains, at a minimum, the company’s data retention schedule and its guidelines for permanently deleting biometric data within BIPA’s applicable time limitations.
- Data Retention & Destruction. Biometric data must be permanently deleted at the earlier of the following: (1) when the initial purpose for collecting the biometric data has been satisfied; or (2) within three years of an individual’s last interaction with the company.
- Written Notice. Written notice must be supplied to data subjects before the time biometric data is collected, and must contain: (1) notice that biometric data is being collected; (2) the specific purpose(s) for which biometric data will be used; and (3) the period of time biometric data will be retained before it is permanently deleted.
- Written Consent. Written consent must be obtained from data subjects before biometric data is collected authorizing the company to: (1) collect and use biometric data; and (2) disclose or share biometric data with third parties.
- Disclosure Limitations. In the absence of consent, biometric data cannot be disclosed or shared with any third parties unless the disclosure satisfies one of three narrow exemptions permitting such disclosures.
- Transactional Prohibition. Biometric data must not be sold, leased, or otherwise used in a manner that can be construed as “profiting from” biometric data.
- Data Security. Biometric data must be stored, transmitted, and protected from disclosure: (1) using the reasonable standard of care applicable to the company’s industry; and (2) in a manner that is the same as, or more protective than, the manner in which the company stores, transmits, and protects other forms of confidential and sensitive information.
About the author
David J. Oberly is Of Counsel in the Washington, D.C. office of Baker Donelson, and leads the firm’s dedicated Biometrics practice. Recognized as “one of the nation’s foremost thought leaders in the biometric privacy space” by LexisNexis, David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. In addition, David has deep experience in litigating bet-the-company BIPA class action disputes. He is also the author of Biometric Data Privacy Compliance & Best Practices—the first and only full-length treatise of its kind to provide a comprehensive compendium of biometric privacy law. He can be reached at doberly@bakerdonelson.com. You can also follow David on X at @DavidJOberly.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.
Article Topics
biometric data | biometric identifiers | Biometric Information Privacy Act (BIPA) | biometrics | cybersecurity | data protection | David Oberly | lawsuits
Comments